Cashandler.A: New variant family of InfoStealer Trojan actively spreading in the wild. (Sep 8, 2017).

Description

The SonicWall Capture Labs Threat Research team has received reports of a
new variant family of InfoStealerTrojan [GAV:Cashandler.A] actively spreading
in the wild.

Cashandler
malware gathers confidential information from the computer such as login
details, passwords; financial information sends it to its own C&C
Server.

Infection Cycle:

The Malware adds the following files to the system:

The Trojan adds the following keys to the Windows registry startup:

Once the computer is compromised, the malware copies its own executable
file to Temp folder and runs following commands:

The malware's goal is to collect as much data as possible; attacker's
profit based on the level of user information that is collected. Thereby
more information collected leads to higher profits.

The malware also performs key logging and steals clipboard data from target
and saves in following registry key:

During our research we have noticed that hackers used a free yahoo email address account for their
malware,we were able to retrieve their credentials as they were hard coded into the malware. Once the
credentials were decrypted, we were able to access the hacker email account.

Command and Control (C&C) Traffic

Cashandler
performs C&C communication over HTTP protocol.

The malware sends the victim's Computer information to its own C&C server via
following format, here is an example:

SonicWall Gateway AntiVirus provides protection against this threat via the
following signature: